
I have gotten a lot of positive feedback from the community about my tut. For this reason I have decided to not let the opinion of 2 people get to me. I will not rewrite this tut because aeallison is right. It is short enough to be able to read just fine. For those guys who have given me compliments and stuck up for me, thank you. For those people who negged me, I'm sorry I can't please everyone, but I will make my next tutorial better.

Originally posted by auxnymph: "This tutorial is interesting, but I want to track them back to the machine they sent the emails on. Any suggestions?"

AFAIK, the only way is if you're on the same network as the machine that originally sent it, or if you're a cop or work at the ISP that provides the net access for the machine that sent the message. In the first case, there should be some common trait in the way IPs are assigned. For example one room may be 192.168.0.100-120. Also, most routers will tell you the name of the computer an IP is leased to, then if you did a good naming scheme you can easily find the computer on the network. The other instance of being a cop with a warrant or working at the ISP: if you're a cop you can talk to someone who can give you the info of which address (physical, like a street address) belongs to the owner of that IP. And if you work there you can get the info yourself.

Heretic's answer actually depends upon the ISP. Read the mail headers from the bottom up. You will often find that the first (i.e., last) "received from" will be prior to an actual mail server (actual mail servers usually are reverse DNSable (think I just invented a word)), thus it will show in the "by" portion of the received from line as both an IP and a FQDN. For example:

Received From 192.168.1.1 by 208.xxx.xxx.xxx (mailserver.theirISP.com) at ............

It might have a private address (192.168 etc.) as the received from address, which tells you the ISP NATs the traffic and the sending host is not publicly available, but often the host is publicly available.

In increasing cases ISPs are not reporting the originating station, so Heretic is quite right, but it always pays to read the mail headers. In the case of viruses you will almost always see the IP of the originating station because the receiving mail server (your ISP's) treats it as a mail server itself and reports the IP. That should at least give you a clue as to who might have sent it.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
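The bottom-up reading of Received headers described in the post above, as an added worked example that is not part of the original thread. The script unfolds a header block, walks the Received lines from the last one written (the first hop) upward, flags RFC 1918 addresses as the NAT case the post mentions, and otherwise reports the first public "from" address. The two header blocks are constructed samples using documentation address ranges, and all host names in them are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (hypothetical hosts): the sending host sits behind the
# ISP's NAT, so the bottom Received line shows a 192.168.x.x address and the
# first public address is the ISP's own relay, not the sender.
SAMPLE_NAT = """\
Received: from mx.isp.example (mx.isp.example [203.0.113.10])
    by inbox.example.net with ESMTP id abc123
    for <user@example.net>; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.theirisp.example (smtp.theirisp.example [198.51.100.25])
    by mx.isp.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from userpc (unknown [192.168.1.1])
    by smtp.theirisp.example with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: someone@example.org
Subject: test
"""

# Constructed sample (hypothetical hosts): a worm-style direct-to-MX delivery,
# where the receiving server records the public IP of the originating station.
SAMPLE_DIRECT = """\
Received: from infectedpc.dsl.example ([203.0.113.77])
    by mx.isp.example with SMTP; Mon, 1 Jan 2024 11:00:00 +0000
Subject: re: your document
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")


def is_rfc1918(ip: str) -> bool:
    """True for the private ranges an ISP would be NATing (10/8, 172.16/12, 192.168/16)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and return (lowercased name, value) pairs."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value: str) -> Dict[str, Optional[object]]:
    """Pull the 'from' host, its bracketed IP, and the 'by' server out of one Received value."""
    hop: Dict[str, Optional[object]] = {"from_name": None, "from_ip": None, "by": None, "private": None}
    m = _FROM_RE.search(value)
    if m:
        hop["from_name"] = m.group(1)
        ip_m = _IP_RE.search(m.group(2) or "")
        if ip_m:
            hop["from_ip"] = ip_m.group(1)
            hop["private"] = is_rfc1918(ip_m.group(1))
    m = _BY_RE.search(value)
    if m:
        hop["by"] = m.group(1)
    return hop


def trace_hops(raw: str) -> List[Dict[str, Optional[object]]]:
    """Return hops in transit order: the bottom-most Received line (first hop) comes first."""
    received = [v for name, v in unfold_headers(raw) if name == "received"]
    return [parse_received(v) for v in reversed(received)]


def likely_origin(raw: str) -> Optional[Dict[str, object]]:
    """Earliest public 'from' IP; behind_nat=True means it is the ISP relay, not the sender."""
    hops = trace_hops(raw)
    for index, hop in enumerate(hops):
        if hop["from_ip"] and not hop["private"]:
            return {"ip": hop["from_ip"], "behind_nat": index > 0}
    return None


if __name__ == "__main__":
    for label, sample in (("NAT case", SAMPLE_NAT), ("direct case", SAMPLE_DIRECT)):
        print(label)
        for n, hop in enumerate(trace_hops(sample), 1):
            print(f"  hop {n}: from {hop['from_name']} [{hop['from_ip']}] by {hop['by']} private={hop['private']}")
        print("  likely origin:", likely_origin(sample))
```

In the NAT sample the first hop's address is private, so the result points at the ISP's relay and is flagged accordingly; in the direct-delivery sample the bottom line already carries a public address, which is the virus case the post describes. Received lines are written by whichever server accepted the message, so only the hops added by servers you trust are reliable; anything below them can be forged by the sender.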

Indeed, and a firewall such as Norton's Personal Firewall will actually tell you the city the IP is located in. It is remarkably accurate from what I've seen. (It told me what hotel Cheyenne was staying in during some experiments.) Well, it told me where the domain resided, and the DNS was under "something HILTON HOTEL" and the address. Of course that will not be the case for personal computers; instead it will mention where the server is located.

I've actually been getting scanned for NetBus from the same IP in my ISP for the past week... and it's not a zombie. Norton tells me he's in Cambridge, but if I put my IP there, it will say the same... which is the city next to me.